Trusted Contributor.

Office 365 - NoPermissionsInAccessToken


Hi all

I am trying to connect MF OO and Office 365 (Azure).

I have created an application on the Azure Portal, I have asked for API permissions (Microsoft Graph – Delegated – Mail.Read, User.Read, Mail.Read.Shared, email, openid, profile), and the administrator granted the permissions.

In the workflow, in the Get Authorization step, I have loginAuthority = https://login.microsoftonline.com/(tenantId)/oauth2/v2.0/token; resource = https://graph.microsoft.com; loginType = API, and clientId, ClientSecret and webproxy populated. I have put the result into a variable and I can see the token in the variable. The next step is Get Message, with all inputs populated and the token from the variable (first step).

When I run the workflow I get an error on the second step, “NoPermissionsInAccessToken”, with “The token contains no permissions, or permissions can not be understood.”

Accepted Solutions

Micro Focus Frequent Contributor

Hello ivosimic,

In order to be able to use delegated permissions there should be a way for the user to register as a logged in user. Mobile apps or websites can do this since the mechanism for becoming a logged in user is a web page of sorts where the user can enter Microsoft credentials. There is no way for OO to display this page and there is no way to register as a logged in user via the API or a library. In order to authenticate, the Office 365 content makes use of tokens obtained from Azure Active Directory, specific for the web or native application that you created. This is the reason why Application Rights are required.

Regards,

Madalin
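
Added example (not part of the original post and not Micro Focus code): a diagnostic sketch that decodes the payload of an access token and reports whether it carries application permissions (the `roles` claim) or delegated ones (the `scp` claim). A token obtained with only a client ID and secret while only delegated permissions were granted has neither, which matches the error above. The sample tokens are constructed and unsigned, and the signature is deliberately not verified, so this is for troubleshooting only.

```python
import base64
import json


def decode_claims(token: str) -> dict:
    """Decode the JWT payload WITHOUT verifying the signature (diagnostics only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    payload = parts[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def classify_token(claims: dict) -> str:
    """Report which kind of permissions the token carries."""
    roles = claims.get("roles") or []            # application permissions
    scopes = (claims.get("scp") or "").split()   # delegated permissions
    if roles:
        return "application: " + ", ".join(sorted(roles))
    if scopes:
        return "delegated: " + ", ".join(sorted(scopes))
    return "none: expect NoPermissionsInAccessToken"


def _make_sample(claims: dict) -> str:
    """Build a constructed, unsigned sample token for the demo."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return ".".join([enc({"typ": "JWT", "alg": "none"}), enc(claims), "sig"])


# Constructed samples (placeholder app id): an app-only token issued when only
# delegated permissions were granted, and one with an application permission.
NO_PERMS = _make_sample({"aud": "https://graph.microsoft.com",
                         "appid": "00000000-0000-0000-0000-000000000000"})
APP_PERMS = _make_sample({"aud": "https://graph.microsoft.com",
                          "roles": ["Mail.Read"]})

if __name__ == "__main__":
    for name, tok in (("delegated-only grant", NO_PERMS),
                      ("application grant", APP_PERMS)):
        print(name, "->", classify_token(decode_claims(tok)))
```
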

24 Replies

Micro Focus Frequent Contributor

Please put the Get Message input values in a table and share them. You can replace any sensitive data with garbled characters.

It's very easy to provide wrong values, the Graph API is convoluted.

Trusted Contributor.

Thanks for the help.

Since Get Message is complicated, I have replaced it with List Messages.

I have three inputs:

| Input | Value |
| --- | --- |
| authToken | eyJ0eXAiOiJKV1QiLCJub25jZSI6Ikexample |
| userPrincipalName | john_smith@example.onmicrosoft.com |
| proxyHost | proxy.com |

Same error.

Micro Focus Frequent Contributor

If the access rights have been defined in the Azure Portal, like in the example screen below, and the Grant Permissions button has been pressed after the rights were assigned, then the only possible explanation is a typo somewhere. Please also show the inputs given to the Generate Auth Token operation.

api.jpg

Trusted Contributor.

Hm.

My Azure permissions. I have asked for MS Graph rights and I see in your picture Office 365 Exchange Online grants. Is this the source of my problems?

Capture.PNG

Micro Focus Frequent Contributor

Technically Mail.Read rights can be found in both Exchange Online and Graph APIs; this is Microsoft's way of being ambiguous. I'm looking at our internal apps and it looks like we managed to use both of them with success, but in order to eliminate variations can you also assign Exchange Mail.Read rights?

Trusted Contributor.

I have added legacy Exchange rights.

No luck. Still the same error.

Do I need to wait for some time?

Capture.PNG

I don't have Office 365 Exchange Online to choose. Only this legacy Exchange.

Micro Focus Frequent Contributor

Looks like Admin Consent is no longer checked.

Micro Focus Frequent Contributor

This is how the rights look for me in the new and "improved" management page. Looks like Exchange online is now Exchange.

api2.jpg

Trusted Contributor.

It says that admin consent is not required. I have asked for admin consent for the Graph API permission and our admin gave grants.

My input for Get Authorization is the same as yours in the post about documentation, except for loginAuthority, where I use https://login.microsoftonline.com/(tenantID)/oauth2/v2.0/token. I tried with your version, https://login.windows.net/tenantID/oauth2/token, but I got the same error.

Capture.PNG

Trusted Contributor.

Maybe MF OO is only working with the Legacy API and I have to get admin consent for this new permission?

The person who is granting permissions is on vacation. She will be back in 10 days.

So for now I have to wait and focus on other tasks.

Thanks for the help.

I will post the result when I get consent for the legacy API.

Valued Contributor.
Please, send us updates about the results.
I have the same problem.